New Member

Configure FINRST session teardown age on ASA

Is there a way to configure how fast a session is torn down on the ASA when it sees an RST or FINs? Right now it tears the connection down immediately, but I would like it to have a fast age of 1 second instead before expiring the session.

On some Cisco routers you can configure

ip tcp intercept finrst-timeout <seconds>

Is there an equivalent on the ASA firewall?

4 REPLIES
Super Bronze

Configure FINRST session teardown age on ASA

Hi,

I have not ever had to look for such an option nor have I seen one ever in any case.

So it seems to me that there is no such option on the ASA.

There are some things you can modify, but it doesn't seem that any of them refers to the one you are familiar with on the router side.

ASA(config-tcp-map)# ?

TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to allow packet
  invalid-ack             Packets with invalid ACK, default is to drop packet
  no                      Negate a command or set its defaults
  queue-limit             Maximum out-of-order packets queued for a connection,
                          default is 0 packets
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  seq-past-window         Packets that have past-window seq numbers, default is
                          to drop packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  synack-data             TCP SYN-ACK packets that contain data, default is to
                          drop packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection

Then there are the global timeout values:

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Then there's also the option to modify some connection/timeout limits:

ASA(config-pmap-c)# set connection ?

mpf-policy-map-class mode commands/options:
  advanced-options            Configure advanced connection parameters
  conn-max                    Keyword to set the maximum number of all
                              simultaneous connections that are allowed.  Default
                              is 0 which means unlimited connections.
  decrement-ttl               Decrement Time to Live field
  embryonic-conn-max          Keyword to set the maximum number of TCP embryonic
                              connections that are allowed.  Default is 0 which
                              means unlimited connections.
  per-client-embryonic-max    Keyword to set the maximum number of TCP embryonic
                              connections that are allowed per client machine.
                              Default is 0 which means unlimited connections.
  per-client-max              Keyword to set the maximum number of all
                              simultaneous connections that are allowed per
                              client machine. Default is 0 which means unlimited
                              connections.
  random-sequence-number      Enable/disable TCP sequence number randomization.
                              Default is to enable TCP sequence number
                              randomization
  timeout                     Configure connection timeout parameters

I am personally not quite sure why the firewall should keep a connection in its connection table if it's already been closed/reset by the client/server.

To my understanding ASA always removes the connection when it sees a TCP Reset or when both client and server have terminated the connection with FIN.

- Jouni

New Member

Configure FINRST session teardown age on ASA

The issue is that an inside client appliance is doing a very abrupt close (SSL teardown followed by RST) for performance reasons, and the return packets from the outside server (SSL teardown followed by FIN) are being denied by the ASA because the session was already terminated. This ends up in a lot of "no connection" deny logs, and I'd like to keep the volume down.

The closest thing I can find is sysopt connection timewait, where it hangs on to the session for an additional 15 seconds. Not sure if that can be applied to a particular set of hosts though.
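Before changing a global setting like `sysopt connection timewait`, it helps to know how many of those "no connection" denies really are the late server FIN/ACK described above. The script below is an added example, not from this thread: it correlates ASA syslog 106015 denies with the preceding 302014 teardown for the same socket pair and tallies the teardown reason (a "TCP Reset-I" teardown followed by a denied FIN/ACK from outside is exactly this pattern). The log lines are constructed samples in the standard ASA message format; the 15-second window mirrors the timewait hold described in the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Jan 15 2014 10:00:01 asa1 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:10.1.1.5/51000 duration 0:00:05 bytes 1234 TCP Reset-I
Jan 15 2014 10:00:01 asa1 : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 10.1.1.5/51000 flags FIN ACK  on interface outside
Jan 15 2014 10:00:02 asa1 : %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.10/443 to inside:10.1.1.5/51001 duration 0:00:04 bytes 980 TCP Reset-I
Jan 15 2014 10:00:02 asa1 : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/443 to 10.1.1.5/51001 flags FIN ACK  on interface outside
Jan 15 2014 10:00:09 asa1 : %ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.10/443 to inside:10.1.1.6/52000 duration 0:00:09 bytes 2048 TCP FINs
Jan 15 2014 10:00:30 asa1 : %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 10.1.1.6/52001 flags RST  on interface outside
"""

TS = r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d)"
TEARDOWN = re.compile(TS + r" .*%ASA-6-302014: Teardown TCP connection \d+ for "
                      r"\S+?:(?P<oip>[\d.]+)/(?P<oport>\d+) to \S+?:(?P<iip>[\d.]+)/(?P<iport>\d+)"
                      r" .* (?P<reason>TCP [\w-]+)\s*$")
DENY = re.compile(TS + r" .*%ASA-6-106015: Deny TCP \(no connection\) from "
                  r"(?P<sip>[\d.]+)/(?P<sport>\d+) to (?P<dip>[\d.]+)/(?P<dport>\d+)"
                  r" flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)")

def _ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")

def correlate(log_text, window_seconds=15):
    """Match each 'no connection' deny to the latest teardown of the same socket
    pair within window_seconds; count teardown reasons and the inside/outside
    host pairs whose late segments followed an inside-initiated reset."""
    teardowns = {}  # (endpoint_a, endpoint_b) -> (time, reason), both directions
    result = {"denies": 0, "matched": Counter(), "unmatched": 0,
              "late_after_inside_reset": Counter()}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        m = TEARDOWN.match(line)
        if m:
            a, b = (m["oip"], m["oport"]), (m["iip"], m["iport"])
            teardowns[(a, b)] = teardowns[(b, a)] = (_ts(m["ts"]), m["reason"])
            continue
        m = DENY.match(line)
        if not m:
            continue  # other message types are ignored
        result["denies"] += 1
        hit = teardowns.get(((m["sip"], m["sport"]), (m["dip"], m["dport"])))
        if hit and timedelta(0) <= _ts(m["ts"]) - hit[0] <= window:
            result["matched"][hit[1]] += 1
            if hit[1] == "TCP Reset-I":  # inside host reset; peer's FIN/ACK came late
                result["late_after_inside_reset"][(m["dip"], m["sip"])] += 1
        else:
            result["unmatched"] += 1
    return result
```

Run `correlate(SAMPLE_LOG)` on a real export: host pairs that dominate `late_after_inside_reset` are the candidates for a scoped policy, while a large `unmatched` count means the denies have some other cause.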

Super Bronze

Re: Configure FINRST session teardown age on ASA

Hi,

Seems I have completely forgotten that command.

According to the command reference, it doesn't really list any options to use this for only certain hosts. So it seems to be a global setting for all connections. (This is the 8.4 software's command reference, but it seems unchanged from 8.2, for example.)

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1572802

If it was possible, I would imagine that it would have been among the options listed in the earlier reply, which you can apply to only certain connections, for example with an ACL identifying the source and destination hosts.

EDIT: I am not sure what using TCP State Bypass would do in this case. It might allow the packets through but I am not certain.

Here is one document related to TCP State Bypass (though totally different scenario)

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Here is the command reference section explaining the TCP State Bypass

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s1.html#wp1451695

- Jouni

Super Bronze

Re: Configure FINRST session teardown age on ASA

Edited some information to the above reply.

- Jouni
